homeassistant-skill

clawhub:homeassistant-skill

View source

85/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

Score

85/100

HIGH 1

LOW 1

Findings (2)

HIGH

Internal IP range access SSRF_002

ssrf-cloud L20

Detects references to private/internal IP ranges in URL context

http://10.0.0.10:

FIX

Implement URL allowlisting for all outbound requests. Block requests to private IP ranges (10.x, 172.16-31.x, 192.168.x), localhost, and link-local addresses.

FP?

Likely FP if the match is a localhost URL used for local development (e.g., http://localhost:3000) in setup documentation.

LOW

External API response used without validation THIRDPARTY_004

third-party-content L498

Detects patterns where external API responses are used directly without validation or sanitization

service data + without explicit use

FIX

Validate and sanitize all data received from external APIs before using it in tool operations or agent prompts. Implement schema validation and treat API responses as untrusted input.

FP?

Likely FP if the match is a truncated table cell or documentation fragment that mentions API responses in a descriptive context, not actual unvalidated data processing.